
How Patches Are Installed

Patch Manager uses the appropriate built-in mechanism for an operating system type
to install updates on an instance. For example, on Windows, the Windows Update API
is used, and on Amazon Linux the yum package manager is used.

Choose from the following tabs to learn how Patch Manager
installs patches on an operating system.


Windows

When a patching operation is performed on a Windows instance, the
instance requests a snapshot of the appropriate patch baseline from
Systems Manager. This snapshot contains the list of all updates available in the
patch baseline that have been approved for deployment. This list of
updates is sent to the Windows Update API, which determines which of the
updates are applicable to the instance and installs them as needed. If
any updates are installed, the instance is rebooted afterwards, as many
times as needed to complete patching. The summary of
the patching operation can be found in the output of the Run Command
request. Additional logs can be found on the instance in the
%PROGRAMDATA%\Amazon\PatchBaselineOperations\Logs
folder.

Because the Windows Update API is used to download and install
patches, all Group Policy settings for Windows Update are respected. No
Group Policy settings are required to use Patch Manager, but any
settings that you have defined will be applied, such as to direct
instances to a Windows Server Update Services (WSUS) server.

Note

By default, Windows downloads all patches from Microsoft's Windows
Update site because Patch Manager uses the Windows Update API to
drive the download and installation of patches. As a result, the
instance must be able to reach the Microsoft Windows Update site or
patching will fail. Alternatively, you can configure a WSUS server
to serve as a patch repository and use Group Policy to point your
instances at that WSUS server instead.

Amazon Linux and Amazon Linux 2

On Amazon Linux and Amazon Linux 2 instances, the patch installation workflow is as
follows:

Apply GlobalFilters as specified in the patch baseline,
keeping only the qualified packages for further processing.

Apply ApprovalRules as specified in the patch baseline.
Each approval rule can define a package as approved.

Apply ApprovedPatches as specified in the patch
baseline. The approved patches are approved for update even if
they are discarded by GlobalFilters or if no approval
rule specified in ApprovalRules grants them
approval.

Apply RejectedPatches as specified in the patch
baseline. The rejected patches are removed from the list of
approved patches and will not be applied.

If multiple versions of a patch are approved, the latest
version is applied.

The YUM update API is applied to approved patches as
follows:

For predefined default patch baselines provided by
AWS, and for custom patch baselines where the
Approved patches include non-security
updates check box is not selected, only patches
specified in updateinfo.xml are
applied (security updates only).

The equivalent yum command for this workflow
is:

sudo yum update-minimal --sec-severity=critical,important --bugfix

For custom patch baselines where the
Approved patches include non-security
updates check box is selected, both
patches in updateinfo.xml and those
not in updateinfo.xml are applied
(security and non-security updates).

The equivalent yum command for this workflow
is:

sudo yum update --security --bugfix

The instance is rebooted if any updates were installed.
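As an added example (not AWS code and not from this page), the following Python models the baseline evaluation order described above; the same steps apply to the RHEL and CentOS workflows below. The package inventory, filters, and rules are constructed for illustration, and the attribute names and dotted-integer version comparison are simplifications, not Patch Manager's real data model.

```python
from collections import namedtuple

# name, version (dotted integers only, a simplification), classification, severity
Candidate = namedtuple("Candidate", "name version classification severity")

def version_key(v):
    return tuple(int(part) for part in v.split("."))

def matches(pkg, rule):
    # rule: dict of attribute -> allowed values; every listed attribute must match.
    return all(getattr(pkg, attr) in vals for attr, vals in rule.items())

def evaluate_baseline(candidates, global_filters, approval_rules,
                      approved_patches, rejected_patches):
    # 1. GlobalFilters: keep only packages that satisfy every global filter.
    qualified = [p for p in candidates if all(matches(p, f) for f in global_filters)]
    # 2. ApprovalRules: a qualified package is approved if any rule matches it.
    approved = [p for p in qualified if any(matches(p, r) for r in approval_rules)]
    # 3. ApprovedPatches: approved by name even if GlobalFilters discarded them
    #    or no approval rule matched.
    approved += [p for p in candidates if p.name in approved_patches and p not in approved]
    # 4. RejectedPatches: removed regardless of how they were approved.
    approved = [p for p in approved if p.name not in rejected_patches]
    # 5. Several approved versions of one package: only the latest is applied.
    latest = {}
    for p in approved:
        cur = latest.get(p.name)
        if cur is None or version_key(p.version) > version_key(cur.version):
            latest[p.name] = p
    return {name: p.version for name, p in sorted(latest.items())}

def sample_run():
    # Constructed inventory and baseline for illustration, not real AWS data.
    # Expected result: {'kernel': '5.10.2', 'vim': '8.2.1'}
    candidates = [
        Candidate("kernel", "5.10.1", "Security", "Critical"),
        Candidate("kernel", "5.10.2", "Security", "Important"),
        Candidate("bash", "5.1.1", "Bugfix", "Medium"),
        Candidate("curl", "7.80.1", "Security", "Low"),
        Candidate("vim", "8.2.1", "Enhancement", "Low"),
    ]
    global_filters = [{"classification": {"Security", "Bugfix"}}]  # drops vim
    approval_rules = [{"classification": {"Security"},
                       "severity": {"Critical", "Important"}}]      # kernel only
    approved_patches = {"vim", "curl"}   # vim re-enters by name despite the filter
    rejected_patches = {"curl"}          # rejection overrides explicit approval
    return evaluate_baseline(candidates, global_filters, approval_rules,
                             approved_patches, rejected_patches)
```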

RHEL

On Red Hat Enterprise Linux instances, the patch installation workflow is as
follows:

Apply GlobalFilters as specified in the patch
baseline, keeping only the qualified packages for further
processing.

Apply ApprovalRules as specified in the patch baseline.
Each approval rule can define a package as approved.

Apply ApprovedPatches as specified in the patch
baseline. The approved patches are approved for update even if
they are discarded by GlobalFilters or if no approval
rule specified in ApprovalRules grants them
approval.

Apply RejectedPatches as specified in the patch
baseline. The rejected patches are removed from the list of
approved patches and will not be applied.

If multiple versions of a patch are approved, the latest
version is applied.

The YUM update API is applied to approved patches as
follows:

For predefined default patch baselines provided by
AWS, and for custom patch baselines where the
Approved patches include non-security
updates check box is not selected, only patches
specified in updateinfo.xml are
applied (security updates only).

The equivalent yum command for this workflow
is:

sudo yum update-minimal --sec-severity=critical,important --bugfix

For custom patch baselines where the
Approved patches include non-security
updates check box is selected, both
patches in updateinfo.xml and those
not in updateinfo.xml are applied
(security and non-security updates).

The equivalent yum command for this workflow
is:

sudo yum update --security --bugfix

The instance is rebooted if any updates were installed.

Ubuntu

On Ubuntu Server instances, the patch installation workflow is as
follows:

Apply GlobalFilters as specified in the patch
baseline, keeping only the qualified packages for further
processing.

Apply ApprovalRules as specified in the patch baseline.
Each approval rule can define a package as approved. In
addition, an implicit rule is applied in order to select only
packages with upgrades in security repos. For each package, the
candidate version of the package (which is typically the latest
version) must be part of a security repo.

Apply ApprovedPatches as specified in the patch
baseline. The approved patches are approved for update even if
they are discarded by GlobalFilters or if no approval
rule specified in ApprovalRules grants them
approval.

Apply RejectedPatches as specified in the patch
baseline. The rejected patches are removed from the list of
approved patches and will not be applied.

SLES

On SUSE Linux Enterprise Server instances, the patch installation workflow is as
follows:

Apply GlobalFilters as specified in the patch baseline,
keeping only the qualified packages for further processing.

Apply ApprovalRules as specified in the patch baseline.
Each approval rule can define a package as approved.

Apply ApprovedPatches as specified in the patch
baseline. The approved patches are approved for update even if
they are discarded by GlobalFilters or if no approval
rule specified in ApprovalRules grants them
approval.

Apply RejectedPatches as specified in the patch
baseline. The rejected patches are removed from the list of
approved patches and will not be applied.

If multiple versions of a patch are approved, the latest
version is applied.

The Zypper update API is applied to approved patches.

The instance is rebooted if any updates were installed.

CentOS

On CentOS instances, the patch installation workflow is as
follows:

Apply GlobalFilters as specified in the patch
baseline, keeping only the qualified packages for further
processing.

Apply ApprovalRules as specified in the patch baseline.
Each approval rule can define a package as approved.

Apply ApprovedPatches as specified in the patch
baseline. The approved patches are approved for update even if
they are discarded by GlobalFilters or if no approval
rule specified in ApprovalRules grants them
approval.

Apply RejectedPatches as specified in the patch
baseline. The rejected patches are removed from the list of
approved patches and will not be applied.

If multiple versions of a patch are approved, the latest
version is applied.

The YUM update API is applied to approved patches.

The instance is rebooted if any updates were installed.
